Android Serialization Vulnerabilities Revisited (RSAC USA '16)

Feb 27, 2016 • Roee Hay

Next week I will be giving a talk at RSA Conference '16 about Android serialization vulnerabilities. The talk will focus on a high-severity code execution vulnerability in Android discovered last year by my team. The platform vulnerability, CVE-2015-3825 / CVE-2015-3837, allowed an unprivileged malicious app to practically own the device: for example, it could replace genuine apps with fake ones and even access their original data. This was clearly bad, so we immediately reported the vulnerability to Google, which took it very seriously and released a patch, available as part of the August '15 Nexus Security Bulletin.

In order to test whether your device is still vulnerable, we created a very small app that uses Java reflection to check whether the vulnerable class still exists on the device. The app is available on Google Play and GitHub.
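The reflection probe described above, as an added example that is not the code of the test app from the original post. It loads a class by name, reports whether it is present, whether it implements `java.io.Serializable`, and which of its fields (including those of serializable superclasses) would actually be written by Java serialization, i.e. non-static, non-transient fields. The class name is supplied on the command line; the vulnerable class from the post is not named here, so the default `java.util.Date` is only a stand-in to show the probe running, and `SerializableClassProbe` and `Result` are names chosen for this example.

```java
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Probe a class by name on the running VM (works the same on Android and the
 * desktop JVM) and report what deserialization would touch.
 * Added example, not the original test app.
 */
public final class SerializableClassProbe {

    /** Outcome of probing one class name. */
    public static final class Result {
        public final String className;
        public final boolean present;          // Class.forName succeeded
        public final boolean serializable;     // implements java.io.Serializable
        public final List<String> serializedFields; // fields written by default serialization

        Result(String className, boolean present, boolean serializable,
               List<String> serializedFields) {
            this.className = className;
            this.present = present;
            this.serializable = serializable;
            this.serializedFields = Collections.unmodifiableList(serializedFields);
        }
    }

    /** Load the class reflectively; a missing class is a normal, reportable outcome. */
    public static Result probe(String className) {
        Class<?> clazz;
        try {
            clazz = Class.forName(className);
        } catch (ClassNotFoundException e) {
            return new Result(className, false, false, new ArrayList<String>());
        }

        boolean serializable = Serializable.class.isAssignableFrom(clazz);
        List<String> fields = new ArrayList<String>();
        if (serializable) {
            // Default serialization writes the non-static, non-transient fields of the
            // class and of every Serializable superclass; it stops at the first
            // superclass that is not Serializable.
            for (Class<?> c = clazz; c != null && Serializable.class.isAssignableFrom(c);
                 c = c.getSuperclass()) {
                for (Field f : c.getDeclaredFields()) {
                    int m = f.getModifiers();
                    if (Modifier.isStatic(m) || Modifier.isTransient(m)) {
                        continue; // never part of the serialized form
                    }
                    fields.add(c.getName() + "." + f.getName()
                            + " : " + f.getType().getName());
                }
            }
        }
        return new Result(className, true, serializable, fields);
    }

    /** Usage: java SerializableClassProbe [fully.qualified.ClassName ...] */
    public static void main(String[] args) {
        // java.util.Date is only a stand-in so the probe has something to report.
        String[] names = args.length > 0 ? args : new String[] { "java.util.Date" };
        for (String name : names) {
            Result r = probe(name);
            System.out.println(name + ": present=" + r.present
                    + " serializable=" + r.serializable);
            for (String f : r.serializedFields) {
                System.out.println("  serialized field " + f);
            }
        }
    }
}
```

A class that is present and Serializable but whose sensitive fields are marked `transient` shows up here with those fields absent from the list, which is the kind of distinction a "is the fix on this device" check needs to make rather than just testing that the class name resolves.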

In addition to the platform vulnerability, my team has also found similar serialization vulnerabilities in 6 SDKs, used by dozens of apps. It goes without saying that we reported the issue to each of the vendors, which released relevant patches. While I already presented the vulnerability at USENIX WOOT '15, it was only a 25-minute talk. Luckily, at RSA I will get the chance to speak to a larger audience in a longer session. The plan is to begin with a brief overview of previous serialization vulnerabilities, dive into Android specifics, present the vulnerability, demonstrate the PoC exploit, and wrap up with some reflections on how resilient Android and SDKs/apps are against future vulnerabilities and exploitation. If you are attending RSAC '16, please go ahead and visit my session!